According to a new report from digital trust technology provider Memcyco, most companies have little, if any, visibility into brand impersonation attacks. Because they lack the ability to detect these kinds of attacks, most companies only learn about them through the social media posts of customers who have been scammed, or through customer reports.

This lack of visibility might go some way towards explaining why just 6% of companies believe they’re actually able to protect their customers from such scams, which are a rising attack vector, used to facilitate many kinds of fraud and reap devastating financial and reputational damages on brands, Memcyco said in its report. 

Brand impersonation, or brandjacking, is a kind of fraud that involves cybercriminals creating lookalike websites that mimic a trusted brand to trick customers into transacting with the page and giving up their personal information. Most often, malicious actors will send a phishing email or SMS or post on social media, encouraging customers of real brands to click a link to what appears to be the brand’s website. Once customers click on the URL, they’re brought to an impersonated version of a brand’s website and are urged to enter their login details or credit card information, which can then be used to harvest user credentials, hijack or clone credit cards and steal money via fake transactions. 

Some kinds of brand impersonation scams can get quite creative, involving fake job ads, for example, or “malvertising”, which refers to fake product ads that appear to have been placed by a legitimate brand, but in fact directs users to an impersonated website. 

Brand impersonation attacks are extremely profitable, with the U.S. Federal Trade Commision reporting that hackers made off with more than $1 billion through such schemes in 2023 alone – up more than 85% in the last three years. One likely reason for this growth is their high success rate, as the hackers put a lot of effort into making their malicious sites appear as close to the original as possible, even using similar URLs. They can impact almost any company, but are especially common with larger brands due to their bigger customer bases. 

Memcyco’s survey of 200 directors and executives at companies operating transactional websites with at least 10,000 visitors per month illustrates why brands and customers alike need to be wary of brand impersonation scams. The responses indicate that 69% of all brands are aware of their websites being impersonated in the past to facilitate brandjacking attacks. What’s more, 87% of companies say they recognize brand impersonation as a growing cybersecurity concern. 

Although this recognition is an encouraging sign, the lack of visibility most definitely is not. Memcyco found that 37% of brands typically only realize their website has been impersonated when they see negative, “brand-shaming” posts on social media. All told, 66% of brands implied their customers are their primary source of intelligence into brand impersonation scams. 

According to Memcyco CEO Israel Mazin, the findings suggest that cybercriminals are increasingly turning to brandjacking precisely because of how easy it is for impersonated websites to fly under the radar. “Attackers rely on companies having limited visibility into these kinds of attacks,” he said. 

Despite recognizing that brand impersonation is a problem, few brands are actually doing much about it. According to Memcyco, 53% of respondents said they lack the cybersecurity tools to deal with brand impersonation attacks, while another 41% said they’re in a position to “partially” deal with them. Just 6% expressed confidence in their ability to prevent such attacks completely. 

Mazin said brand impersonators are taking advantage of a “glaring blindspot in cybersecurity”, namely the “inability of companies to protect their customers online”. 

Another notable finding of Memcyco’s report is that 81% of brands do not reimburse customers who lose out financially to brandjacking attacks. However, many brands understand that they’re likely going to be held responsible in the future anyway, as 48% indicated that they’re aware of new regulations that, if passed into law, will legally obligate them to reimburse customers that are fraud victims.

Memcyco offers an anti-website impersonation solution that aims to detect impersonated websites as soon as they appear online. Moreover, the solution protects customers from the “window of exposure” - from the time an impersonated website goes up until the moment it is taken down. During this time, customers are the most vulnerable to fall victim to scams. With Memcyco’s solution, customers that visit an impersonated website get an immediate Red Alert warning them of the danger, urging them not to proceed. Furthermore, Memcyco provides companies with full details of any attack perpetrated against their customers, providing the crucial visibility needed to prevent such attacks in the future.